By now you’ve likely heard of the General Data Protection Regulation (GDPR), the new law going into effect on May 25, 2018, that regulates how organizations collect, use, and process the personal data of citizens of the European Union.
Even if your company is not based in the EU, you’re likely still impacted. Any organization that has contacts or customers who are European Union citizens needs to ensure that they’re GDPR compliant.
In case you’re unfamiliar with the new law, here’s a high-level overview of what it entails:
- The data of EU contacts must be processed in a transparent, fair, and lawful manner
- Data must be collected for purposes that are specified, explicit, and legitimate
- The data that is collected must be relevant and limited to what is necessary
- Data must be kept accurate and up-to-date
- Data should be held only for the time necessary and no longer
- All data must be securely processed
Event Farm is committed to privacy and security, and we’re giving you the tools you need to ensure that your events are in compliance with the new law. Take a look at the information below about how you’ll be able to use Event Farm to comply:
Sending invitations to contacts who have previously opted in
If you’re uploading guest lists and sending event email invitations to contacts located in the European Union, you’ll need proof that they’ve previously, actively, and explicitly opted in to receiving email communication from your organization.
As long as your primary marketing or email automation system is GDPR-compliant, it will have features that allow you to capture this information, which will ensure your compliance when sending event email invitations to those same contacts through Event Farm.
As always, Event Farm is intended to be used to contact only those potential invitees with whom you have an existing relationship or reason to contact. Do not use Event Farm to send invitations to purchased lists, rented lists, or third-party lists of any kind.
Getting consent from new contacts with GDPR-friendly event registration forms
Under the new law, organizations are required to obtain explicit, active consent when collecting a contact’s data, and to clearly state how that data will be used if and when a contact does give consent. This means you’ll need to obtain consent from anyone whose data you’re collecting during the event registration process, and you’ll also need to include messaging about how you plan to use the data they provide.
- Sign in to Event Farm and click on the “Account Info” tab. Note: You must be a Team Manager in order to access this tab.
If you would prefer to have guests opt in to data processing for your organization separately from data processing through Event Farm, you can create custom opt-in text in the “Disclaimer” section of Web Presence, within the Registration Experience tab. Note: This will not remove the Event Farm consent from your registration site.
Practicing data minimization
GDPR requires that personal data collected and processed is limited to data that is relevant and necessary for the purpose for which it is being collected. This practice is also called data minimization. To practice data minimization, limit the questions you add to your registration form to those that are necessary for your event guests to answer in order for them to participate in your event.
You can also make question responses optional, so registrants can choose whether or not to respond to them, while still being able to attend the event.
To make a question optional for your registration form, uncheck the “make question required” checkbox when creating your question, or click “edit” for an existing question to change this setting.
Guest questions of the radio button and waiver types cannot be made optional. Instead, you can use a dropdown or checklist question type to collect an optional response.
As always, for guests in and outside of the EU, our terms of service do not allow collection of highly sensitive personal data, such as driver’s license or ID numbers, social security numbers, passport numbers, passwords, security credentials, or similar types of personal data.
Handling contact data requests
GDPR states that EU contacts have expanded rights when it comes to the use of their personal data. For example, users have the right to request that their data be deleted, moved, or corrected at any time.
If a contact reaches out to you with any of the above requests regarding data stored in Event Farm, please submit a support request here.
Ensuring data security compliance
The EU data regulation outlines a set of parameters that data processors must follow in order to meet compliance. Event Farm’s data processing procedures are compliant, and there is nothing more you need to do within the Event Farm platform to ensure that your contacts’ data is being processed in a lawful manner.
Disclaimer: This article is neither a complete documentation of EU data privacy nor legal advice for your company to use in complying with GDPR. It provides general background information about the law so you best understand how to use Event Farm to ensure that your event-specific campaigns are compliant.